Test Your ATT&CK Before The Attack With Guardicore Infection Monkey

The Infection Monkey has a new version and it’s MITREier than ever


Guardicore Labs has been hard at work on adding new features to the Guardicore Infection Monkey. In this post, we will talk about the new MITRE ATT&CK features of the Infection Monkey v1.8.0, which we recently released.

What is Infection Monkey 1.8.0?

The Infection Monkey is a free, open-source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement.

We have released a new version which enhances the Monkey’s capabilities. The Monkey now maps its actions to the MITRE ATT&CK knowledge base: It provides a new report with the utilized techniques and recommended mitigations, to help you simulate an APT attack on your network and mitigate real attack paths intelligently.

To see the Infection Monkey’s new MITRE ATT&CK features in action, watch the video demo highlighting the ATT&CK report:

Now that you know a bit more, we recommend that you download the Infection Monkey while you read this post, so you can start working with it as soon as you are done.

Download Infection Monkey, a free, open-source breach and attack simulation tool to evaluate the security posture of your network.

Why we integrated MITRE ATT&CK and Infection Monkey

The MITRE ATT&CK matrix is a database of attack techniques that adversaries use in real life. Because it captures real-world behaviour, more and more cybersecurity experts use the ATT&CK matrix as the basis for network security tests and assessments. Since the Infection Monkey already attempts a hefty number of ATT&CK techniques, we wanted to provide a way to easily configure the Monkey based on the ATT&CK techniques you want to test, and to give more insight into how those techniques were used and how to protect yourself. The end result is a platform where ATT&CK tests can be easily configured and automatically launched, with the results aggregated in a single place.

How it works and how you can use it

After downloading and deploying the Monkey, you can run an attack simulation in your network. In doing so, the Monkey utilises attack techniques like those used by known APTs in the wild. This tests your network’s resilience against malware employing these techniques. When the Monkey’s tests have been completed, you get a MITRE ATT&CK status report with all the information you need on each technique to prepare for the next attack.

You can configure which techniques you’d like to use in the MITRE configuration page:

Let’s say you don’t want the Monkey to use T1082 (System Information Discovery). Maybe you don’t want the Monkey to test it since you already know it’s compromisable, so it’s not the focus of your testing right now. Just click to disable (or enable) that technique in the Monkey’s arsenal, then click “Submit” to confirm!

Infection Monkey’s MITRE ATT&CK Report

The MITRE ATT&CK report is centred around the ATT&CK matrix:

The Monkey rates your network on the attack techniques it attempted. For each technique, you get one of two ratings:

  • Red: The Monkey successfully used the technique in the simulation. That means your network is vulnerable to this technique being employed.
  • Yellow: The Monkey tried to use the technique, but didn’t manage to. That means your network isn’t vulnerable to the way the Monkey employs this technique.

Then, you can see exactly HOW the technique was used in this attack, and also what you should do to mitigate it, by clicking on the technique to open its details. For example, let’s look at the “Private Keys” technique, which is part of the “Credential Access” tactic:

Screenshot of the details of one technique in the report, "Private Keys"

In this example, you can see from which machines the Monkey was able to steal SSH keys, and the mitigations recommended, including Restricting File and Directory access and implementing Network Segmentation.

Which techniques are Infection Monkey armed with?

Disclaimer: This list is updated to version 1.8.0 of the Infection Monkey. We will add more techniques in the upcoming releases. Check out our release notes page to stay up to date on the latest changes.

Execution
  • Command-line interface
  • Execution through Module Load
  • Execution through API
  • Service Execution

Defense Evasion
  • BITS Jobs
  • File Deletion
  • File and Directory Permissions Modification

Credential Access
  • Brute Force
  • Credential Dumping
  • Private Keys

Discovery
  • Remote System Discovery
  • System Information Discovery
  • System Network Configuration Discovery

Lateral Movement
  • Exploitation of Remote Services
  • Pass the Hash
  • Remote File Copy
  • Remote Services

Collection
  • Data from Local System

Command and Control
  • Connection Proxy
  • Uncommonly Used Port
  • Multi-hop Proxy

Exfiltration
  • Exfiltration Over Command and Control Channel

Use cases

Understand your network’s resilience to specific attack techniques

The main use case we had in mind when we developed this new Monkey version with the MITRE ATT&CK report is helping you understand which techniques attackers will be able to use in your network and how to mitigate those techniques.

For example, let’s say you’d like to understand how vulnerable you are to attackers using Pass the Hash attacks to move laterally in your network. Pass the Hash is a method of authenticating as a user without actually having the password: the attacker steals the password hash and uses it in the authentication process instead. To test that using the Monkey, run the Monkey from one of your Windows instances with high permissions while a user is logged on. If the Monkey is able to log on to another Windows instance in your network using the first user’s credentials, you’ll see that technique and its details in the ATT&CK report.

Verify that your security stops attackers

Another great use case for the Monkey’s new ATT&CK assessment capabilities is testing your security solutions and products that claim to mitigate specific ATT&CK techniques. You can run the Monkey in a demo environment with the security solution deployed, and make sure that the techniques the Monkey is trying to use are both blocked (which will cause them to turn up as Yellow in the report) and reported in the solution’s alert/log system.
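To make that second check systematic, here is an added example (not Infection Monkey’s or Guardicore’s code) that cross-references a run’s per-technique colours with a security product’s alert log and sorts each technique into one of four outcomes. The technique ids are MITRE’s, but the report dictionary, the log line format and the results attached to them are constructed for the example.

```python
# Added example, not Infection Monkey's own code: cross-check the techniques
# a Monkey run attempted against a security product's alert log to find gaps.
# Both inputs are constructed; real report and log formats will differ.
import re

# Constructed Monkey results: technique id -> (name, report colour), where
# "red" = the technique succeeded and "yellow" = attempted but blocked.
MONKEY_RESULTS = {
    "T1082": ("System Information Discovery", "red"),
    "T1110": ("Brute Force", "yellow"),
    "T1003": ("Credential Dumping", "yellow"),
    "T1105": ("Remote File Copy", "red"),
    "T1018": ("Remote System Discovery", "yellow"),
}

# Constructed alert lines from a hypothetical product that tags each alert
# with the ATT&CK technique id it claims to have detected.
ALERT_LOG = """\
2020-04-01T10:02:11Z host=web-01 sev=high technique=T1110 msg=SSH brute force blocked
2020-04-01T10:03:45Z host=db-02 sev=high technique=T1003 msg=LSASS read denied
2020-04-01T10:05:02Z host=web-01 sev=low technique=T1082 msg=systeminfo executed
"""

TECHNIQUE_RE = re.compile(r"technique=(T\d{4})")

def alerted_techniques(log_text):
    """Return the set of technique ids that the product alerted on."""
    return set(TECHNIQUE_RE.findall(log_text))

def coverage_gaps(results, log_text):
    """Bucket every attempted technique by blocked (colour) x alerted (log).
    missed        red, no alert     : neither stopped nor seen
    detected_only red, alerted      : seen but not stopped
    silent_block  yellow, no alert  : stopped, but invisible to the SOC
    verified      yellow, alerted   : control works as claimed
    """
    seen = alerted_techniques(log_text)
    buckets = {"missed": [], "detected_only": [], "silent_block": [], "verified": []}
    for tid, (_name, colour) in sorted(results.items()):
        blocked = colour == "yellow"
        key = {(False, False): "missed", (False, True): "detected_only",
               (True, False): "silent_block", (True, True): "verified"}[(blocked, tid in seen)]
        buckets[key].append(tid)
    return buckets

if __name__ == "__main__":
    for bucket, ids in coverage_gaps(MONKEY_RESULTS, ALERT_LOG).items():
        print(f"{bucket:14}{', '.join(ids) or '-'}")
```

Techniques landing in "silent_block" are the ones worth raising with the vendor: the control stopped the Monkey, but an analyst would never have known.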

Try for yourself

Stay 3 steps ahead of the attackers. Download the new version of the Monkey and test your network. It’s free and open-source.

We also invite you to join the conversation in our Slack channel to ask questions, suggest new features, or just talk to us.
